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Abstract 

A new 4-pass Key- Agreement-Protocol is presented. The security of the protocol 
mainly relies on the existence of a (polynomial-time computable) One- Way-Function 
and the supposed computational hardness of solving a specific system of equations. 
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1 Introduction 

At the end of a Key- Agreement-Protocol two parties, say Alice and Bob, share a common 
bit string s. During the protocol they are allowed to exchange a fixed number of messages 
mi, i = 1 , . . . , r, over a public channel. The protocol is called secure, if no algorithm exist 
that computes the string s from the rat's in a polynomial number of steps. Whether 
secure Key-Agreement-Protocols exist is still an open issue, although quite a few have 
been proposed - maybe the most popular being the Dime-Hellman-Protocol [2], where 
the security is linked to the task of computing the element y of a given cyclic group 
from the elements y a and y b . 

In this article, we present a new Key-Agreement-Protocol that uses four rounds of 
message exchange. Its security mainly relies on the existence of a (polynomial-time 
computable) One- Way-Function and the supposed computational hardness of solving a 
specific system of equations. 



2 The Protocol 

Public data: Suppose Alice and Bob want to exchange a secret key. They start 
by agreeing on a positive integer u and a prime p of size ~ 2 v ' TLlogn . They further 
agree on a random matrix C := (ct j ) t ^ G Fp Xn , with i, j £ {],..., n}, and an injective 
(polynomial-time computable) One- Way- Function h. : F p — > {0,1 } m , where F p denotes 
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the finite field with p elements. 

Private data: Next, Alice (resp. Bob) chooses a random element a £ F p (resp. 
(3), n random bits ti , . . . , t n (resp. Si , . . . , s n ) and a random permutation cr on the set 
{1 , . . . ,n} (resp. p), all of which she (resp. he) keeps secret. 

The computations that follow are all taking place in the finite field F p . 

First round: Alice computes for j = 1 , . . . , n: 

n 

\H ■= ^tiCij + <r(j)a (1) 

and sends (u.j)j to Bob. 

Second round: Bob computes for i = 1 , . . . , n: 



TL 



■vt := ^SjCy + p(i)P and T A :=^SjUj (2) 
j=l j=l 



and sends (('Vi)i,T A ) to Alice. 

Third round: Alice computes for k = 1 , . . . , n ^~ 1 - : 

n 

h(T A — ka) and t b := t(Vi (3) 

1=1 

and sends ( (h(T A — kcx) )\^, Tg) to Bob. 

Final round: Bob computes for I = 1 , . . . , — ^ — - the list (H(tb — l|3)h until he 
finds ko and lo, such that 

h(T A -k a) =H(t b -Io(3) (4) 

and sends ko to Alice. 

Alice and Bob now share a common element g := t a — koa = Tb — lo|3. 

3 Analysis 

We start by showing the correctness of the protcol and calculate the computational cost: 



Theorem 1 After the final step both parties share a common element g. The number of 
computational steps on both sides equals 0(n 2 • cost of evaluation of h). 

Proof. The correctness of the protocol follows from the easy observation that 

n n 

x A = Y_ ttSjCy + <xY_ Sjcr(j) = g' + ak', 
y=i j=i 

and respectively 

n n 

t b = tiS i Ci .i + I 3 H ttPW = 9' + PV, (6) 
1,3=1 i=l 

and the fact that 1 ^ k', I' ^ n(n — 1 )/2, which means that at least one pair of integers 
(ko> lo) within the given range exists, such that g := Ta — koa = Tb — lop. The number of 
computational steps is also clear, since Bob can sort the list (H(ta — k<x))k in 0(n 2 logn) 
steps, while the evaluation of the injective function h, requires Q(logp) operations. □ 

The above protocol gives rise to the following 

Challenge 1 Given n, p, h, C, (vt)t, Ta, Tb, (H(ta — ka))^ and ko, compute an 

element g, such that H(g) = H(ta — koa). 

We (i.e. the author of this article) are not aware of any lower bound for the number of 
steps it takes to compute the element g from Challenge [TJ 

In what follows, we will present an algorithm that conjecturally requires Q(2 £ ^ nlogn ) 
operations, for some constant e > 0. 

We will try to compute the secrect bits ti,...,t n of Alice. As is easily seen, the 
knowledge of these bits will lead in a polynomial number of steps to the secret key. At 
the beginning there is only one equation for these bits, that is 

xtvi + . . . + x n y n = tb. (7) 

Now, heuristically speaking, while there are 2 n ways to select the values of the X{S but 
only p ~ 2^ nlogn possible values for Tb, there are approximately 2 n ~ logp ~ 2 TL ' 1 ~V l °9 TL / TL ) 
solutions to equation ((Jj) (in the language of Knapsack-Cryptography, we could speak 
of an ultra-high density Knapsack, since the density of this Knapsack tends to infinity [3]). 

The other equations from ((TJ) involving the tt's can not be used immediately, since 
the permutation a and the element a are both secret, but we can try to get rid of a by 
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(5) 



guessing r values of the permutation cr, say a'(1 ),..., a' (r), which gives us r — 1 additional 
equations: 

^Xi(o / (2)c i ,i-a / (1)ct )2 ) = a'(2)^~a'(])ii 2 
^xJo-'^Cij-cr'mc^) = cr'Ojm-o-'mm 

^x i (a'(r)ci 1 i-o 7 (1)c i , T ) = a'(r)m - a'(1 

Again, by the same heuristic argument, the system of these equations together with 
equation (JT]) has approximately 2 TL ~ Tlogp ~ 2 rL ' 1_T v /lo 9 n / TL ' solutions, which means that 
we can not even be sure whether our guess was right, unless n — rlogp ~ log K u, for some 
constant k. 

To summarize the discussion, the probability of guessing enough equations to com- 
pute the ti (where we did not even talk about the computational cost of really solving 
these equations) is about n~ eTl / lo SP ~ 2 _£ ^ rLlogn , for some constant £ > 0, which is, at 
least from a theoretical point of view not too far away from the probability of guessing 
the secret a (resp. the secret key g) directly. 

It is almost superfluous to say that these heuristic considerations do not prove 
anything about the security of the stated protocol. Nevertheless, in the author's opinion, 
Challenge [1] seems worth further investigation. 
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